<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Kali toolbox</title>
<script src="./static/bootstrap.min.js"></script>
<link rel="stylesheet" href="./static/main.css">
<link rel="stylesheet" href="./static/bootstrap.min.css">
<style type="text/css" id="syntaxhighlighteranchor"></style>
</head><body>
<main class="main-container ng-scope" ng-view="">
<div class="main receptacle post-view ng-scope">
<article class="entry ng-scope" ng-controller="EntryCtrl" ui-lightbox="">
<section class="entry-content ng-binding" ng-bind-html="postContentTrustedHtml">
<section class="l-section"><div class="l-section-h i-cf"><h2>diStorm3 Package Description</h2>
<p style="text-align: justify;">diStorm is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16-, 32- and 64-bit modes and supports the FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (with extensions), x86-64, VMX, AMD SVM and AVX instruction sets. The new diStorm interface returns a structure that describes any x86 instruction; that structure can then be formatted into text for display. diStorm is written in C and ships wrappers for Python, Ruby and Java, so it can be used quickly from those languages as well as directly from C. The project also describes it as the fastest disassembler library. The source code is clean, readable, portable and platform-independent (both little- and big-endian hosts are supported). diStorm depends only on the C library, so it can be used in embedded code or in kernel modules. Note that diStorm3 is backward compatible with the diStorm64 interface (make sure you use the newest header files).</p>
<p>Source: https://code.google.com/p/distorm/<br>
<a href="http://code.google.com/p/distorm/" variation="deepblue" target="_blank">diStorm3 Homepage</a> | <a href="http://git.kali.org/gitweb/?p=packages/distorm3.git;a=summary" variation="deepblue" target="_blank">Kali diStorm3 Repo</a></p>
<ul>
<li>Author: Gil Dabah</li>
<li>License: GPLv3</li>
</ul>
<h3>diStorm3 Usage Example</h3>
<p>Disassemble a staged reverse shell generated by msfpayload. Note that the listing below starts with the bytes <code>7f 45 4c 46</code>, the ELF magic: msfpayload wrote a complete ELF executable rather than raw shellcode, and decoding its header in 16-bit mode yields the meaningless <code>JG</code>/<code>DEC SP</code>/<code>INC SI</code> sequence shown. For a real analysis, decode the raw payload instead (msfpayload's <code>R</code> output), or start at the ELF entry point in <code>Decode32Bits</code> (this header has <code>e_machine</code> = 3, i.e. EM_386, and entry point 0x08048054):</p>
<code>root@kali:~# python<br>
Python 2.7.3 (default, Mar 13 2014, 11:03:55) <br>
[GCC 4.7.2] on linux2<br>
Type "help", "copyright", "credits" or "license" for more information.<br>
&gt;&gt;&gt; from distorm3 import Decode, Decode16Bits, Decode32Bits, Decode64Bits<br>
&gt;&gt;&gt; l = Decode(0x100, open("stagedrev.bin", "rb").read(), Decode16Bits)<br>
&gt;&gt;&gt; for i in l:<br>
...  print "0x%08x (%02x) %-20s %s" % (i[0],  i[1],  i[3],  i[2])<br>
... <br>
0x00000100 (02) 7f45                 JG 0x147<br>
0x00000102 (01) 4c                   DEC SP<br>
0x00000103 (01) 46                   INC SI<br>
0x00000104 (02) 0101                 ADD [BX+DI], AX<br>
0x00000106 (02) 0100                 ADD [BX+SI], AX<br>
0x00000108 (02) 0000                 ADD [BX+SI], AL<br>
0x0000010a (02) 0000                 ADD [BX+SI], AL<br>
0x0000010c (02) 0000                 ADD [BX+SI], AL<br>
0x0000010e (02) 0000                 ADD [BX+SI], AL<br>
0x00000110 (02) 0200                 ADD AL, [BX+SI]<br>
0x00000112 (02) 0300                 ADD AX, [BX+SI]<br>
0x00000114 (02) 0100                 ADD [BX+SI], AX<br>
0x00000116 (02) 0000                 ADD [BX+SI], AL<br>
0x00000118 (01) 54                   PUSH SP<br>
0x00000119 (03) 800408               ADD BYTE [SI], 0x8</code>
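<p>The bytes in the session above (<code>7f 45 4c 46 01 01 01 00 ... 02 00 03 00 01 00 00 00 54 80 04 08</code>) are an ELF32 header for EM_386 with entry point 0x08048054, which is why decoding them as 16-bit code produces nonsense. The following Python 3 example is added here and is not part of the Kali page or the diStorm project: it reads those header fields to pick the diStorm decode mode and the file offset of the entry point, falls back to a caller-chosen mode for raw shellcode, and generalises to 64-bit ELF as well. The ELF samples it builds (<code>build_elf</code>, <code>FILLER32</code>, <code>FILLER64</code>) are constructed stand-ins, not the page's <code>stagedrev.bin</code>; from the library it assumes only <code>distorm3.Decode</code> and the <code>Decode16Bits</code>/<code>Decode32Bits</code>/<code>Decode64Bits</code> constants that the session itself uses.</p>

```python
"""Pick the diStorm decode mode and start offset from an ELF header.

Added example, not code from the Kali page or the diStorm project. The ELF
parsing is plain struct code; distorm3 is only needed by disassemble().
"""
import struct

EM_386, EM_X86_64, PT_LOAD = 3, 62, 1


def build_elf(bits, code, base):
    """Constructed minimal ELF (one PT_LOAD segment) with `code` placed right
    after the headers, the way msfpayload lays out its ELF output. Used here
    only to make stand-in sample input for the functions below."""
    ehsize, phentsize = (52, 32) if bits == 32 else (64, 56)
    code_off = ehsize + phentsize
    entry, end = base + code_off, code_off + len(code)
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1, 0]) + b"\0" * 8
    if bits == 32:
        ehdr = struct.pack("<HHIIIIIHHHHHH", 2, EM_386, 1, entry, ehsize, 0, 0,
                           ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, end, end, 5, 0x1000)
    else:
        ehdr = struct.pack("<HHIQQQIHHHHHH", 2, EM_X86_64, 1, entry, ehsize, 0, 0,
                           ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, end, end, 0x1000)
    return ident + ehdr + phdr + code


def parse_elf(data):
    """Return class, machine, entry point and the PT_LOAD segments
    (vaddr, file offset, file size) of an ELF image, honouring EI_DATA."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]
    end = {1: "<", 2: ">"}[data[5]]
    fmt = "HHIIIIIHHHHHH" if bits == 32 else "HHIQQQIHHHHHH"
    f = struct.unpack_from(end + fmt, data, 16)
    machine, entry, phoff, phentsize, phnum = f[1], f[3], f[4], f[8], f[9]
    segments = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if bits == 32:
            p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(end + "IIIIIIII", data, off)
        else:
            p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, off)
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_offset, p_filesz))
    return {"bits": bits, "machine": machine, "entry": entry, "segments": segments}


def decode_mode(info):
    """Name of the distorm3 mode constant matching the ELF class/machine."""
    if info["bits"] == 32 and info["machine"] == EM_386:
        return "Decode32Bits"
    if info["bits"] == 64 and info["machine"] == EM_X86_64:
        return "Decode64Bits"
    raise ValueError("not an x86 ELF (e_machine=%d)" % info["machine"])


def entry_file_offset(info):
    """Map e_entry to a file offset through the PT_LOAD segment that backs it."""
    for vaddr, offset, filesz in info["segments"]:
        if vaddr <= info["entry"] < vaddr + filesz:
            return info["entry"] - vaddr + offset
    raise ValueError("entry point is not backed by a PT_LOAD segment")


def plan_decode(data, raw_mode="Decode32Bits", raw_base=0x100):
    """(mode name, file offset to start at, virtual address of that offset).
    Raw shellcode has no header, so the caller supplies mode and base."""
    if data[:4] != b"\x7fELF":
        return raw_mode, 0, raw_base
    info = parse_elf(data)
    return decode_mode(info), entry_file_offset(info), info["entry"]


def disassemble(data, max_insns=16, **raw):
    """Same Decode() call and output format as the session, but starting at
    the entry point in the right mode. Returns the formatted lines."""
    import distorm3
    mode, off, va = plan_decode(data, **raw)
    insns = distorm3.Decode(va, data[off:], getattr(distorm3, mode))[:max_insns]
    return ["0x%08x (%02x) %-20s %s" % (addr, size, hexs, text)
            for addr, size, text, hexs in insns]


# Constructed stand-ins for the payload body (not the page's stagedrev.bin).
FILLER32 = bytes.fromhex("31c05031c9cd80")  # xor eax,eax; push eax; xor ecx,ecx; int 0x80
FILLER64 = bytes.fromhex("4831c00f05")      # xor rax,rax; syscall
SAMPLE32 = build_elf(32, FILLER32, 0x08048000)  # first 28 bytes equal the session's
SAMPLE64 = build_elf(64, FILLER64, 0x400000)

if __name__ == "__main__":
    for line in disassemble(SAMPLE32):
        print(line)
```

<p>Run against the page's <code>stagedrev.bin</code>, <code>plan_decode</code> returns <code>Decode32Bits</code> at offset 0x54 (e_entry 0x08048054 minus the 0x08048000 load address), so <code>disassemble</code> lists the payload body rather than the header. For a raw <code>R</code>-format payload the ELF branch is skipped and the caller's mode and base are used, matching the <code>Decode(0x100, ...)</code> call in the session.</p>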
</div></section>
</main></body></html>
